Oracle Cloud Infrastructure (OCI) - Onboarding
Instructions for Onboarding an Oracle Cloud Infrastructure Tenancy to InsightCloudSec
After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target Oracle Cloud Infrastructure (OCI) accounts. This documentation provides details on configuring Oracle Cloud (or OCI) to "talk" with InsightCloudSec securely for both admin and non-admin users and explains the different onboarding workflows you can expect for new and returning users.
- Check out the OCI Supported Services page for a list of supported resources.
- For details on supported resources across the complete InsightCloudSec platform, check out our Resources content, as well as subpages on Resource Terminology and Resource Type Categories.
Getting Started with Onboarding for OCI
Before you can begin the Oracle Cloud onboarding process, you'll need to log in and open the InsightCloudSec Cloud Account Setup Wizard, which is a different experience depending on the type of user you are:
- First-time User: InsightCloudSec is freshly deployed and this will be the first time a CSP has been onboarded.
- Returning User: InsightCloudSec has one or more CSPs already onboarded and you would like to add a new Oracle Cloud account.
- Non-Admin User: You can interact with InsightCloudSec and are onboarding Oracle Cloud but do not have the appropriate access to grant InsightCloudSec access to your cloud account(s).
- Jump to the Non-Admin Onboarding for Oracle Cloud section of this page.
- Admin User: You can log in to the Oracle Cloud console and have the appropriate access to grant InsightCloudSec access to your cloud account(s).
- Jump to the Admin Onboarding for Oracle Cloud section of the page.
In addition, we also provide instructions for:
- Existing Cloud Accounts: For information about modifying an existing OCI cloud account, check out the Cloud Account Setup & Management page.
We are here to help! If you have questions or concerns, reach out to us through the Customer Support Portal (https://insight.rapid7.com/login).
Configuration Information for Oracle Cloud
Oracle Cloud Details
In OCI, a tenancy is the top-level construct. It is analogous to a project in GCP or a subscription within Azure. There are several steps that must be taken within the Oracle console to enable InsightCloudSec to get access to a tenancy, and this page provides those steps.
Additional Resources on OCI include:
- Check out our User Entitlements Matrix for more details on InsightCloudSec permissions and entitlements.
- Refer to Oracle's documentation for more details on how OCI manages permissions/policies.
Read-Only Policy
The Read-Only policy contains only read permissions for the OCI resources that InsightCloudSec supports. The policy can be obtained from our public S3 bucket.
- Note: This policy will need to be updated any time InsightCloudSec supports a new OCI service.
Power User Policy
The Power User policy contains various read and manage permissions for the OCI resources that InsightCloudSec supports. The policy can be obtained from our public S3 bucket.
- Note: This policy will need to be updated any time InsightCloudSec supports a new OCI service.
Non-Admin Onboarding for Oracle Cloud
If you've determined that you're not an Admin user or you're not sure, you will need to provide an Admin within your organization with the "Oracle Cloud Admin Instructions". Once the Admin has completed the instructions, they should be able to provide you with an answer and/or content for the following required fields:
- A Nickname for the Account
- A User ID
- A Tenancy ID
- Key Content
Steps for Non-Admin Onboarding
The steps to complete this process for both First-time Users and Returning Users are provided below. Steps 2-a and 2-b provide specifics for the two user types.
1. Log in to your InsightCloudSec installation.
2-a. For first-time users, a successful login should launch the Onboard a Cloud Account workflow. You will need to select "Oracle Cloud" as your Cloud Service Provider, and then select "No - Help me identify the details needed". Click "Next" to start the onboarding process.
2-b. For returning users, navigate to "Cloud --> Cloud Accounts" and select "Add Cloud". You will need to select "Oracle Cloud" as your Cloud Service Provider, and then select the "Don't have admin access?" option at the bottom right of the window.
3. Copy the details from the admin instructions and share them with your Admin.
4. Once your Admin has completed the setup they can provide you with the required information to complete the configuration.
5. Return to the onboarding workflow, input the Nickname, User ID, Tenancy ID, Key Content, and Fingerprint to finalize your OCI onboarding setup and click "Connect".
Admin Onboarding for Oracle Cloud
For administrative users, this section includes step-by-step instructions for the configuration required in both the Oracle Cloud console and the InsightCloudSec Onboarding Wizard to connect.
If you are connecting to InsightCloudSec for the first time, you will be greeted by a workflow that shares some details around InsightCloudSec capabilities and allows you to select your Cloud Service Provider to start the onboarding process.
If you have connected to InsightCloudSec previously but are setting up Oracle Cloud for the first time, you will need to navigate to "Cloud --> Cloud Accounts" and select the "Add Cloud" option to open the cloud onboarding.
Using either path above, select "Oracle Cloud" as your CSP to get started with the admin onboarding.
OCI Login (Step 1)
In the InsightCloudSec Onboarding Wizard
1. Provide your OCI account with an identifiable Nickname.
2. Click Next to go to "2. User Account".
User Account (Step 2)
In the Oracle Console - Create a Group
1. Log in to the Oracle console using the tenancy you would like to connect to InsightCloudSec.
2. From the main navigation menu icon at the top left (hamburger menu icon), click to expand and select "Identity & Security" and then select "Domains".
3. Select your domain from the list.
4. Select "Groups" from the side navigation and then select "Create group".
- Groups are required because IAM permissions are linked to groups and not individual accounts.
5. Give your group a name (for example: InsightCloudSec) then select "Create".
In the Oracle Console - Create a User Account & Add an API Key
1. From the main domain page in the Oracle Console, select "Users" and "Create user".
2. Complete the required user details as desired and ensure that the group you created earlier is selected. Select "Create" when complete.
3. Once created, you will be redirected to the newly-created user's page. From the new user page, select "API keys" and select "Add API key".
- Note: In OCI an API Key is an RSA key pair in PEM format used for signing API requests. This process generates the key pair.
4. Select the "Download private key" button, and then select "Add".
This is where you will download the API key. Save these details in a safe place.
5. In the Configuration file preview, copy the contents and save them in a safe location.
This preview contains the User ID, Tenancy ID, and Fingerprint. Save these details in a safe place.
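Before pasting these values into the wizard, you can confirm that the saved preview and the downloaded private key belong together. The script below is an added example, not Rapid7 or Oracle code; it assumes the preview was saved as a file with `user=`, `fingerprint=` and `tenancy=` lines, that the key is the unencrypted PEM file from the console, and that `openssl` is installed. The function names and the demo OCIDs are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the "Configuration file preview" values against
# the downloaded private key before they are entered in the onboarding wizard.

# OCI API key fingerprint: MD5 of the DER-encoded public key, colon-separated hex.
# Assumes an unencrypted RSA private key in PEM format.
oci_key_fingerprint() {
  openssl rsa -in "$1" -noout 2>/dev/null || return 1
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl md5 -c | sed 's/^.*= *//'
}

# Print the value of one key (user, tenancy, fingerprint) from the saved preview.
oci_config_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Return 0 only when both IDs look like OCIDs, the fingerprint matches the key,
# and the key file is not accessible to group or other.
check_oci_onboarding_inputs() (
  cfg=$1; key=$2; rc=0
  user=$(oci_config_value "$cfg" user)
  tenancy=$(oci_config_value "$cfg" tenancy)
  want=$(oci_config_value "$cfg" fingerprint)
  got=$(oci_key_fingerprint "$key") || got=""
  case $user in ocid1.user.*) ;; *) echo "User ID is not a user OCID" >&2; rc=1 ;; esac
  case $tenancy in ocid1.tenancy.*) ;; *) echo "Tenancy ID is not a tenancy OCID" >&2; rc=1 ;; esac
  if [ -z "$got" ]; then echo "cannot read RSA private key: $key" >&2; rc=1
  elif [ "$got" != "$want" ]; then echo "fingerprint mismatch: key=$got config=$want" >&2; rc=1; fi
  if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "private key is accessible to group/other; chmod 600 it" >&2; rc=1
  fi
  exit "$rc"
)

# Demo on constructed input: a throwaway key and a preview with placeholder OCIDs.
demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  (umask 077; openssl genrsa -out key.pem 2048 2>/dev/null)
  printf '[DEFAULT]\nuser=ocid1.user.oc1..exampleuser\nfingerprint=%s\ntenancy=ocid1.tenancy.oc1..exampletenancy\n' \
    "$(oci_key_fingerprint key.pem)" > config
  check_oci_onboarding_inputs config key.pem && echo "inputs consistent"
  rc=$?; rm -rf "$dir"; exit "$rc"
)

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the check pass on generated input, or call `check_oci_onboarding_inputs <saved preview> <private key>` on your own files.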
In the InsightCloudSec Onboarding Wizard
1. Add the PEM Details from the configuration you just completed in the Oracle Console, including User ID, Tenancy ID, Key Content, and Fingerprint.
2. Click "Next" to go to "3. Policy & PEM" in the onboarding wizard.
Policy & PEM (Step 3)
In the Oracle Console
1. From the main menu icon at the top left select "Identity & Security" and then select "Policies".
2. Select the "Create Policy" button.
3. Ensure you've enabled "Show manual editor" in the "Policy Builder" section, then paste in either the Read-Only Policy or Power User Policy (linked in the InsightCloudSec onboarding).
- Ensure that the group name (“InsightCloudSec”, in our provided policies) matches that of the group created in earlier steps.
4. Select "Create" to submit the completed form.
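The group-name check in step 3 can be done on the policy text before it is pasted into the manual editor. The script below is an added example, not Rapid7 or Oracle code; it assumes one statement per line in the form `Allow group <name> to <verb> <resource-type> in tenancy` with a group name that contains no spaces, and the sample statements in the demo are constructed rather than taken from the published policies.

```shell
#!/bin/sh
# Added example: lint OCI policy statements before pasting them into the editor.
# Usage: lint_oci_policy <policy file> <expected group> <read-only|power-user>
# Prints every statement that fails a check and returns non-zero if any did.
lint_oci_policy() {
  awk -v group="$2" -v mode="$3" '
    NF == 0 { next }   # skip blank lines
    {
      verb = tolower($5)
      if (tolower($1) != "allow" || tolower($2) != "group" || tolower($4) != "to") {
        print "unparsed statement: " $0; bad = 1
      } else {
        # The group in the statement must be the group created in the console.
        if ($3 != group) { print "group mismatch: " $0; bad = 1 }
        # OCI policy verbs, from least to most access: inspect, read, use, manage.
        if (verb !~ /^(inspect|read|use|manage)$/) { print "unknown verb: " $0; bad = 1 }
        else if (mode == "read-only" && verb !~ /^(inspect|read)$/) {
          print "not read-only: " $0; bad = 1
        }
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Demo on constructed statements (hypothetical content, not the published policy).
demo() (
  f=$(mktemp) || exit 1
  cat > "$f" <<'EOF'
Allow group InsightCloudSec to read instance-family in tenancy
Allow group InsightCloudSec to inspect buckets in tenancy
Allow group InsightCloudSec to manage volume-family in tenancy
EOF
  lint_oci_policy "$f" InsightCloudSec read-only
  rc=$?; rm -f "$f"; exit "$rc"
)

if [ "${1:-}" = demo ]; then demo; fi
```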
In the InsightCloudSec Onboarding Wizard
5. Click Connect Account to finalize your Oracle Cloud onboarding.